(Archived) How Evernote Should Have Responded to security issue

I live in Evernote. Evernote is mission-critical to my business. Here's how they should have handled this situation:

Send out an email to their 45M users before they configure the client to pop up a "change password" message. Maybe not everyone will have read that email before they use Evernote but at least Evernote will have made an attempt at warning them.

The client message should say that the user needs to change their Evernote account password. It should not display the email address associated with their Evernote account with the wording "Your password seems to have changed...". That message is completely inaccurate and confusing to the ordinary user.

The client message was confusing, and I think it's because the clients were never designed to handle a password reset due to a security breach and they had no way to transmit a clear message. Hopefully this won't happen a second time.

We're actually trying to do both those things. There are quite a few moving parts and getting a bunch of clients to suddenly patch and release (regardless of where they are in their development cycle) can be challenging.

Some of the clients are updated to help guide you through the process and others will be updated soon. I'm sure there are edge cases where we don't give the most graceful UI, but we've tried to be as helpful as possible. We've also begun sending out email, check your inboxes!

cheers!

As soon as I saw the message, I assumed a breach, but I am in IT so I guess that's the way I'm wired. What I am impressed with, and what shouldn't be lost, is that Evernote responded swiftly with a forced change of passwords globally, which both fixed the issue and was even possible in a timely manner.

I've only been using Evernote for a week, having spent it digitizing our filing cabinet to Evernote. After reading much about Evernote security online & in forums, this response tells me I made the right choice in Evernote.

Of course things can be done better and improved all the time, but good job the Evernote team imho!

Certainly, doing all this on short notice can be challenging. With all the high profile security breaches in cloud services in the past year, was any consideration given that this might be a problem for which a plan should be in place before it happened? It's almost a given that a security breach will occur. I know bad things happen to good companies but I hope that changes will occur quickly and even that two factor authentication will be prioritized in the near future.

Hi Bankrobber, you mean those e-mails are being sent by hand? That's definitely a lot of typing. I'd better wait then, hadn't I. H.

You assume that it's premium users in Europe, but I am a premium user in the U.S., so I doubt that it's anything to do with location, though I wonder whether you folks in non-English speaking countries get translated emails in your preferred language...

Oy localization. Yeah we did our best to get as much of the content localized as possible. I believe we've localized the blogpost into all major languages as well as the emails, but that's not really my department.

Jeff, Do I sound like I need my English e-mail translated to me or that I run my messages through Google Translate before posting them here?

I do apologise for this unfriendly post to the other users on this forum, but the utterly condescending replies of some of those 'EN Evangelists' are annoying. Regards. H.

@dlu Thanks for your posts on this thread. I guess that makes you even more of a lightning rod than ever. :-)

I would like to see some kind of "post mortem", including 3 things:

1. How this happened.
2. Decisions made as the situation unfurled.
3. Lessons learned.

I realise - having dealt with similar things myself in the past when I did Security more than Performance for Enterprise customers - that some of this has to remain private. That's fine. You have to balance that against reputational and trust considerations. I'm confident Evernote will get it right and be able to genuinely give the message "we learned a lot, changed things that should reduce the risk and impact in future, but realise there WILL be further threats to the service we'll have to deal with".

@Feedback Good detective work. I hope this fits into my points 2 and 3: someone made the decision to use this mailer, and there is probably a trade-off in play and a lesson of some sort to be learned. (I'm being vague as a lot of this is in the "none of my business" category and I'm not party to what Evernote went through as this unfurled.)

Sorry -- my reply was not meant to be condescending in any way. I should have probably quoted your other post:

Premium users in Europe have obviously not been included in the e-mail notification programme. Regards. H.

All I was saying was that I, an American Evernote premium subscriber, had not yet received an email at that time either. I didn't think that you could therefore conclude that absence of the notification email had anything to do with location of the user.

Evernote's broadcast that was emailed to users sadly fits a classic phishing message.

Rather than being mailed from evernote.com and having all links pointing to evernote.com, the message and the links actually originated from and connect to another site: mkt5374.com

The registrar for mkt5374.com is MarkMonitor.com. The administrative and technical contacts are:

Silverpop Systems, 200 Galleria Parkway Suite 750, Atlanta GA 30339

This domain was only registered on 26 September 2012.

The IP addresses are also different, if you check the DNS A record listing:

mkt5374.com maps to 74.112.69.20
evernote.com maps to 204.154.94.73

The evernote.com domain is registered to and has administrative and technical contacts at:

Evernote Corporation, 305 Walnut Street, Redwood City, CA 94063

Evernote has violated a major principle of internet security that has been widely touted since phishing incidents began!

Never using a link that points to a site in a different domain than the one from which the message and its content are supposedly sent is an extremely basic security rule.

Shame on Evernote for mailing a security broadcast with password reset links that are indistinguishable from phishing links!

Shame on Evernote for dragging their feet and not implementing Two Factor Authentication (2fa) in a timely manner!

This breach would not have been prevented by 2fa. However, 2fa would protect against phishing emails - such as those just emailed by Evernote itself.

;-(
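The rule the post above states (every link in a notification must stay on the sender's own domain) is easy to check mechanically before a broadcast goes out. The following is an added example, not code from this thread or from Evernote or Silverpop; the e-mail samples, the no-reply address and the link paths are constructed, and the domain reduction assumes a two-label suffix rather than the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Matches the URL inside an href attribute (quoted or bare).
HREF_RE = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (links.example.com -> example.com).

    Assumption for this example: a two-label suffix. Production code should use
    the Public Suffix List so that hosts under co.uk and similar are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_domain_mismatches(raw_message: str) -> list[tuple[str, str]]:
    """Return (url, registrable_domain) for every link whose domain differs
    from the From: address domain. An empty list means every link stays on
    the sender's own domain, which is the rule the post above describes."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    body = msg.get_payload()  # single-part text body in this example
    mismatches = []
    for url in HREF_RE.findall(body):
        domain = registrable_domain(urlparse(url).hostname or "")
        if domain != sender_domain:
            mismatches.append((url, domain))
    return mismatches


# Constructed sample modelled on the mailing described in the thread:
# sent from evernote.com, but the reset link points at mkt5374.com.
SAMPLE_MIXED_DOMAINS = "\n".join([
    "From: Evernote <no-reply@evernote.com>",
    "Subject: Evernote Security Notice",
    "Content-Type: text/html",
    "",
    '<p><a href="http://mkt5374.com/reset?id=EXAMPLE">Reset your password</a></p>',
    '<p><a href="https://evernote.com/security">Read more</a></p>',
])

# The same message with every link kept on the sender's own domain.
SAMPLE_SAME_DOMAIN = SAMPLE_MIXED_DOMAINS.replace(
    "http://mkt5374.com/reset?id=EXAMPLE", "https://www.evernote.com/reset?id=EXAMPLE")

if __name__ == "__main__":
    print(link_domain_mismatches(SAMPLE_MIXED_DOMAINS))  # [('http://mkt5374.com/reset?id=EXAMPLE', 'mkt5374.com')]
    print(link_domain_mismatches(SAMPLE_SAME_DOMAIN))    # []
```

Running the check as a pre-send gate (or on the recipient side as a mail filter rule) flags exactly the mismatch the post complains about, while a tracking domain delegated under the sender's own domain would pass.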

We used to send our announcements through software we run locally, but we're in the middle of a switch to SilverPop for delivering newsletters and announcements. They were the only way we could deliver 40 million emails in less than 24 hours, and we didn't have the experience to configure that mailing the way we should have. In the future, we'll absolutely make sure that we don't send similar emails with sketchy-looking links.